
UTM End User Portal - Reason Denied

I have a single user that cannot log in to the End User Portal.

Things I have checked looking at other forum threads:

  • The user's password doesn't expire until the end of the month
  • The user's password is entered correctly
  • Security Event log on the PDC shows valid authentication
  • Definitions & Users > Auth Services > Servers > AD Server => Test authenticates properly
  • A newly created user works perfectly fine
  • I allow all users to access the portal
  • Automatic user creation is enabled
  • AD Background sync is enabled

I did notice that the user in question did not populate under the users tab, however my brand new test user did.

Here are the log entries:

2017:10:02-15:50:18 remote aua[17782]: id="3006" severity="info" sys="System" sub="auth" name="Trying PDC-IP (radius)"
2017:10:02-15:50:18 remote aua[17782]: id="3006" severity="info" sys="System" sub="auth" name="Trying PDC-IP (adirectory)"
2017:10:02-15:50:19 remote aua[3489]: Use of uninitialized value $email in regexp compilation at aua.pl line 3070.
2017:10:02-15:50:22 remote aua[17782]: id="3006" severity="info" sys="System" sub="auth" name="updateUserObject: failed to set object for user "USERNAME" - error "AAA_USER_EMAIL_PRIMARY""
2017:10:02-15:50:22 remote aua[17782]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="PDC-IP" host="" user="USERNAME" caller="portal" reason="DENIED"
 
I noticed the AAA_USER_EMAIL_PRIMARY error but could not find any information about it. I did notice that it appears on users that are able to login as well. We did just migrate to Office365 and had to adjust the ProxyAddresses and the UPN to reflect the email address rather than internal domain.
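An added example (not from the original post or from Sophos): a small parser for the aua log format quoted above, with a correlation step that ties each portal "Authentication failed ... reason="DENIED"" line to the most recent "updateUserObject: failed to set object" line for the same user and daemon pid, and a count of the aua.pl "$email" warnings. The sample log is constructed from the entries in the post (PDC-IP and USERNAME are the poster's placeholders) plus one extra denial for a constructed second account that has no preceding updateUserObject failure; the 10-second correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample log: the five entries quoted in the post, plus one
# constructed denial for a second account (USER2) with no update failure.
SAMPLE_LOG = """\
2017:10:02-15:50:18 remote aua[17782]: id="3006" severity="info" sys="System" sub="auth" name="Trying PDC-IP (radius)"
2017:10:02-15:50:18 remote aua[17782]: id="3006" severity="info" sys="System" sub="auth" name="Trying PDC-IP (adirectory)"
2017:10:02-15:50:19 remote aua[3489]: Use of uninitialized value $email in regexp compilation at aua.pl line 3070.
2017:10:02-15:50:22 remote aua[17782]: id="3006" severity="info" sys="System" sub="auth" name="updateUserObject: failed to set object for user "USERNAME" - error "AAA_USER_EMAIL_PRIMARY""
2017:10:02-15:50:22 remote aua[17782]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="PDC-IP" host="" user="USERNAME" caller="portal" reason="DENIED"
2017:10:02-15:53:40 remote aua[17782]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="PDC-IP" host="" user="USER2" caller="portal" reason="DENIED"
"""

# "<timestamp> <host> <proc>[<pid>]: <rest>"
PREFIX_RE = re.compile(
    r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\w+)\[(\d+)\]:\s*(.*)$')
# key="value" pairs. The updateUserObject message embeds unescaped quotes in
# its value, so a quote only closes a value when the next thing is another
# key="..." or the end of the line.
KV_RE = re.compile(r'(\w+)="(.*?)"(?=\s+\w+="|\s*$)')
UPDATE_RE = re.compile(
    r'updateUserObject: failed to set object for user "([^"]+)" - error "([^"]+)"')


def parse_line(line):
    """Parse one aua line into a dict; lines without the expected prefix are skipped."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, pid, rest = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S"),
        "host": host,
        "proc": proc,
        "pid": int(pid),
        "raw": rest,
        "fields": dict(KV_RE.findall(rest)),  # empty for free-text lines (Perl warnings)
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def correlate_denials(entries, window_s=10):
    """For every portal denial, report the error code from the most recent
    updateUserObject failure for the same (pid, user) inside window_s seconds."""
    pending = {}  # (pid, user) -> (timestamp, error code)
    results = []
    for e in entries:
        f = e["fields"]
        m = UPDATE_RE.search(f.get("name", ""))
        if m:
            pending[(e["pid"], m.group(1))] = (e["ts"], m.group(2))
            continue
        if f.get("name") == "Authentication failed" and f.get("reason") == "DENIED":
            key = (e["pid"], f.get("user"))
            cause = None
            if key in pending:
                ts0, err = pending[key]
                if (e["ts"] - ts0).total_seconds() <= window_s:
                    cause = err
            results.append({"ts": e["ts"], "user": f.get("user"),
                            "caller": f.get("caller"), "probable_cause": cause})
    return results


def email_warnings(entries):
    """aua.pl warnings about an undefined $email: a directory record reached the
    UTM without a usable email address."""
    return [e for e in entries if "uninitialized value $email" in e["raw"]]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for d in correlate_denials(entries):
        print(f'{d["ts"]} user={d["user"]} caller={d["caller"]} cause={d["probable_cause"]}')
    print(f"{len(email_warnings(entries))} $email warning(s)")
```

Run over the sample, the USERNAME denial is attributed to AAA_USER_EMAIL_PRIMARY while the USER2 denial has no matching update failure, which is the distinction to look for when deciding whether a denied login is the same email-object problem or something else.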


  • "I did notice that the user in question did not populate under the users tab, however my brand new test user did."

    Hmmm. Try an experiment.  At the bottom of the 'Advanced' tab in 'Definitions & Users >> Authentication Services', configure 'Prefetch Directory Users' to sync your problem user and hit [Apply]. Start the Prefetch Live Log, wait for a moment to give it time to start up and then click on [Prefetch Now].

    My guess is that the remotely-authenticated user object won't be created because there's a conflict with an email address entered for a locally-authenticated user object.  What did you see?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have another user that is experiencing the same thing. I would much rather fix the underlying issue rather than prefetch as a workaround. Any thoughts on things that I can try?

    Or should I just prefetch as a standard? I have less than 50 users at this location.

  • If prefetch won't work, it's because there's already a User object that conflicts with the remotely authenticated one you're trying to create.  This would be a user with an identical name or email address.

    Cheers - Bob

  • Bob,

    Prefetch does work. I do not manually create any user objects, they are all created by the UTM so I'm not sure how there would be a duplicate?

  • If I had two users in AD, Bob1 and Bob2, and they both had email address bob@mydomain.com, Bob2 could not be synced if Bob1 already existed in the UTM as a remotely-authenticated user object.  You should see any conflict in the Prefetch Live Log.

    Cheers - Bob

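An added example (not Sophos code, and not Bob's) that models the conflict rule he describes: a user object cannot be created when an existing object, local or remote, already has the same name or the same primary email. The store and the AD export are constructed; the assumption that the primary email comes from the uppercase `SMTP:` entry in proxyAddresses (falling back to `mail`) is the usual Exchange/Office365 convention and is only a guess at what the sync uses, but it is exactly the attribute the original poster changed during the migration. The duplicate-email check is the pre-sync audit an admin would run on the export before touching the UTM.

```python
from dataclasses import dataclass


@dataclass
class UtmUser:
    name: str
    email: str    # primary email, "" if the directory record has none
    origin: str   # "local" (created by hand) or "remote" (created from AD)


def primary_email(rec):
    """Assumption: the primary address is the uppercase SMTP: proxyAddress,
    with the mail attribute as fallback (Exchange/Office365 convention)."""
    for addr in rec.get("proxyAddresses", []):
        if addr.startswith("SMTP:"):
            return addr[5:].lower()
    return rec.get("mail", "").lower()


class UtmUserStore:
    """Toy model of the rule in the thread: no two user objects may share a
    name or a primary email. Not the UTM's own implementation."""

    def __init__(self, users=()):
        self.users = list(users)

    def conflict_for(self, name, email):
        for u in self.users:
            if u.name.lower() == name.lower():
                return f'name "{name}" already used by {u.origin} object "{u.name}"'
            if email and u.email.lower() == email:
                return f'email "{email}" already used by {u.origin} object "{u.name}"'
        return None

    def sync(self, ad_users):
        """Create a remote object per AD record; return (created, conflicts)."""
        created, conflicts = [], []
        for rec in ad_users:
            name, email = rec["sAMAccountName"], primary_email(rec)
            if any(u.name.lower() == name.lower() and u.origin == "remote" for u in self.users):
                continue  # already synced on an earlier run
            why = self.conflict_for(name, email)
            if why:
                conflicts.append((name, why))
            else:
                self.users.append(UtmUser(name, email, "remote"))
                created.append(name)
        return created, conflicts


def find_duplicate_emails(ad_users):
    """Pre-sync audit of the AD export: primary emails shared by more than one account."""
    by_email = {}
    for rec in ad_users:
        email = primary_email(rec)
        if email:
            by_email.setdefault(email, []).append(rec["sAMAccountName"])
    return {e: names for e, names in by_email.items() if len(names) > 1}


# Constructed AD export, following Bob's Bob1/Bob2 illustration. Bob2's mail
# attribute is unique, but its primary SMTP: proxy address collides with Bob1.
AD_EXPORT = [
    {"sAMAccountName": "Bob1", "mail": "bob@mydomain.com",
     "proxyAddresses": ["SMTP:bob@mydomain.com", "smtp:bob1@corp.local"]},
    {"sAMAccountName": "Bob2", "mail": "bob2@corp.local",
     "proxyAddresses": ["SMTP:bob@mydomain.com"]},
    {"sAMAccountName": "carol", "mail": "carol@mydomain.com",
     "proxyAddresses": ["SMTP:carol@mydomain.com"]},
    {"sAMAccountName": "alice", "mail": "alice.smith@mydomain.com",
     "proxyAddresses": []},
]

# Constructed UTM state before the sync: Bob1 already synced, and a hand-made
# local object named "alice".
EXISTING_USERS = [
    UtmUser("Bob1", "bob@mydomain.com", "remote"),
    UtmUser("alice", "alice@mydomain.com", "local"),
]


def run_sync():
    store = UtmUserStore(EXISTING_USERS)
    return store.sync(AD_EXPORT)


if __name__ == "__main__":
    for email, names in find_duplicate_emails(AD_EXPORT).items():
        print(f"duplicate primary email {email}: {', '.join(names)}")
    created, conflicts = run_sync()
    print("created:", created)
    for name, why in conflicts:
        print(f"conflict for {name}: {why}")
```

Bob2 is rejected on the email rule and the AD user alice on the name rule, while carol is created; the duplicate-email audit flags bob@mydomain.com before any sync is attempted, which is the quicker way to find the colliding record than reading the Prefetch Live Log after the fact.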